Carles Figuera (Migrated from SEC-2465) said:
OS: Windows 7 (64 bits)
JDK: 1.6.0_45
WebLogic's Version: 12.1.1.0.6
Spring Security Version: 3.2.0.RELEASE
When a filter is created in WebLogic with method servletContext.addFilter(String filterName, Filter filter), the filter is created but never initialized. So WebLogic users must use servletContext.addFilter(String filterName, java.lang.Class<? extends Filter> filterClass) to avoid this bug.
When we extend AbstractSecurityWebApplicationInitializer, this class uses the first addFilter() method mentioned, so in WebLogic, the filter never calls the init() method. (AbstractSecurityWebApplicationInitializer.java:213)
It's WebLogic's fault and not Spring's, but I think you may know it.
Comment From: spring-projects-issues
Rob Winch said:
Thanks for pointing this out. I found others referring to having the same issue with WebLogic but was wondering if you had a reference to a bug within WebLogic itself? It would be nice to be able to follow the actual bug in WebLogic.
Comment From: spring-projects-issues
Bruce Brouwer said:
I had already reported this. Oracle acknowledged it as a bug: 17382048, fixed with patch 16769849. It is reported as being fixed in WLS 12.1.3.
Comment From: spring-projects-issues
Rob Winch said:
Thank you [~bruce.brouwer]. I was rather hesitant in the first place to make changes for such an obvious bug in WebLogic. In light of the fact it is fixed, I am going to mark this as Won't Fix.
Comment From: spring-projects-issues
David Kerwick said:
Hi, might be a long shot, but is there a workaround for this, as an upgrade to 12.1.3 could take a while for us?
Thanks, David
Comment From: spring-projects-issues
Rob Winch said:
David,
You can create a copy of AbstractSecurityWebApplicationInitializer which uses servletContext.addFilter(String filterName, java.lang.Class<? extends Filter> filterClass) instead.
Cheers, Rob
Comment From: spring-projects-issues
David Kerwick said:
That's great, thanks. I never think of changing a framework class.
David
Comment From: spring-projects-issues
Rob Winch said:
David,
Just to point this out: you do not even need AbstractSecurityWebApplicationInitializer. This is just a convenience class to configure Spring Security using Java config. Alternatively, you can implement your own WebApplicationInitializer or simply configure the Filter in the web.xml.
Cheers, Rob
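A sketch of the workaround discussed above, as an added example that is not code from the thread participants or from the Spring Security project. The class name WebLogicSecurityInitializer is hypothetical, and it assumes the root application context that defines the springSecurityFilterChain bean is loaded by a ContextLoaderListener registered elsewhere.

```java
import java.util.EnumSet;

import javax.servlet.DispatcherType;
import javax.servlet.FilterRegistration;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;

import org.springframework.web.WebApplicationInitializer;
import org.springframework.web.filter.DelegatingFilterProxy;

// Hypothetical replacement for AbstractSecurityWebApplicationInitializer on
// WebLogic versions affected by the addFilter(String, Filter) bug.
public class WebLogicSecurityInitializer implements WebApplicationInitializer {

    // Name of the FilterChainProxy bean that Spring Security registers.
    private static final String FILTER_NAME = "springSecurityFilterChain";

    @Override
    public void onStartup(ServletContext servletContext) throws ServletException {
        // Register by class, not by instance: the container then creates the
        // filter itself and calls init(), which is the step skipped on the
        // affected WebLogic releases when an instance is passed in.
        // DelegatingFilterProxy uses its filter name as the target bean name,
        // so no init parameter is needed when the bean lives in the root context.
        FilterRegistration.Dynamic registration =
                servletContext.addFilter(FILTER_NAME, DelegatingFilterProxy.class);

        // addFilter returns null when a filter with this name already exists.
        // Fail startup instead of continuing with an unknown security filter setup.
        if (registration == null) {
            throw new IllegalStateException("A filter named '" + FILTER_NAME
                    + "' is already registered; check web.xml and other initializers.");
        }

        registration.setAsyncSupported(true);

        // isMatchAfter=false places the security filter ahead of filters
        // declared elsewhere, so requests reach it before other filters.
        registration.addMappingForUrlPatterns(
                EnumSet.of(DispatcherType.REQUEST, DispatcherType.ERROR, DispatcherType.ASYNC),
                false,
                "/*");
    }
}
```

After deploying, confirm that a request to a protected URL without credentials is rejected or redirected; an uninitialized or unmapped filter would otherwise go unnoticed.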
Comment From: manisk09
Rob,
I ran into a similar issue with securityFilterChain for WebLogic. Can you please suggest how I could implement WebApplicationInitializer in my case?
https://stackoverflow.com/questions/72578781/soap-web-service-is-sending-response-even-when-the-request-does-not-have-okta-to
Thanks, Mani.